Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Jun 2014 00:15:08 -0600
From: Kurt Seifried <>
Subject: Re: Re: Question regarding CVE applicability of missing
 HttpOnly flag

Hash: SHA1

On 27/06/14 07:09 PM, Vincent Danen wrote:
> On 06/27/2014, at 14:03 PM, wrote:
>>> I suppose maybe there is a CWE for not having a virus scanner,
>>> which makes sense as that could be considered an overall system
>>> weakness.
>> Neither CVE nor CWE attempts to cover the general topic of
>> system integration, i.e., questions such as "given the
>> composition and role of this entire system, is it unreasonable to
>> omit a virus scanner?" In practice, both CVE and CWE often tend
>> to be about questions that may come up when considering somewhere
>> around one line of code or one file of code. (This is just an
>> observational statement, not an attempt to redefine why CVE and
>> CWE exist.) Typical audiences may include (among others)
>> developers who need to write a line of code safely or system 
>> administrators who need to patch a faulty line of code.
>> This doesn't mean that there's any objection to someone taking
>> the position that lack of a virus scanner is the most serious
>> security concern that they see in an entire system. This is a
>> valid perspective but is outside of the problem spaces in which
>> CVE and CWE have been operating. Even if everyone were looking at
>> "whether or not a flaw is a flaw" decisions in precisely the same
>> way, a conclusion of "yes, this system would really benefit from
>> a virus scanner" leaves open the question of the best place to
>> capture that information.
> Then shouldn't be the same be true of the HttpOnly flag?  That line
> of thought is pretty much what I think in regards to that flag.
> I don't know if you missed my comment in an earlier message, so
> I'll note it below because I think this is the real point:
> "Kurt's argument about everything having an XSS makes it sound
> like, and the reasoning provided here as well, that we should no
> longer consider XSS a security flaw, but the absence of HttpOnly
> the security flaw.  I mean, if setting this flag "fixes" all XSS
> issues, then we should no longer be assigning CVEs to XSS issues,
> only to web servers/services that do not set HttpOnly or browsers
> that do not respect/handle it properly.  They can't _both_ get CVEs
> or be considered flaws, can they?"

Actually my point was more that back in the day cookie theft was
relatively rare, now it is pretty common thanks largely to XSS:

so in my opinion we should assume most web based apps have XSS vulns
(I think that's a safe assumption =), as such then the use of HTTPOnly
on cookies becomes a virtual necessity to protect cookies as opposed
to a "nice to have hardening feature". In other words the security bar
should be moved (at least that's my opinion).

- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird -


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.